Cisco ASA L2TP remote access VPN with addresses assigned by DHCP

network-engineering cisco-asa dhcp l2tp
2022-03-05 12:38:02

I have an ASA with a working Cisco VPN Client configuration. I am trying to phase out the Cisco VPN Client, initially by supporting L2TP.

The Cisco client policy has end users get their addresses from a DHCP server that assigns a specific subnet. I want to stick with that subnet because it already has nat-exempt and hairpin-nat rules that forward clients on to other sites.

I also have a split-tunnel-network-list applied.

I can get end-user L2TP clients to connect with no problem at all. I can get the L2TP client to obtain its address from the DHCP server (confirmed via the server's lease information and via show vpn-sessiondb). However, no traffic passes, because the client either never receives or discards the static routes normally applied by the split-tunnel-network-list, and instead selects incorrect routes.

If I remove dhcp-server from the tunnel-group and use an arbitrary ip local pool instead, the L2TP client adds routes according to the split-tunnel-network-list ACL, but does not pass traffic, because the nat-exempt and hairpin-nat rules do not match the ip local pool range.

If I remove dhcp-server from the tunnel-group and use an ip local pool on the same subnet as the DHCP server (i.e. matching the NAT rules), the L2TP client goes back to not adding routes.

I know I could double up all the nat-exempt and hairpin-nat rules so that both the dhcp-server subnet and the ip local pool have rules, but I don't understand why that should be necessary.

What is stopping the routes from being correctly provided/received/applied between the ASA and the L2TP client?

(Sanitized, hopefully relevant config below; the real config has many more VPNs and sites, hence not wanting to change subnets)

interface Redundant1
 nameif OUTSIDE
 security-level 0
 ip address p.e.e.r 255.255.255.0
!
interface Redundant2.1
 vlan 1
 nameif INSIDE
 security-level 100
 ip address 172.21.0.10 255.255.240.0
!

object network VPN_CLIENT_LAN
 subnet 172.21.255.0 255.255.255.0
object network HAIRPIN_NAT_IP
 host 172.21.0.1
object network IDONTWANTTHIS_POOL_LAN
 subnet 192.168.254.0 255.255.255.0

object-group network HEADOFFICE_LAN
 network-object 172.21.0.0 255.255.240.0
object-group network BRANCHOFFICE_LAN
 network-object 172.21.16.0 255.255.240.0
object-group network DATACENTRE1_LAN
 network-object 172.27.0.0 255.255.0.0
object-group network DATACENTRE2_LAN
 network-object 172.28.0.0 255.255.0.0
object-group network SITE_LANS
 group-object HEADOFFICE_LAN
 group-object BRANCHOFFICE_LAN
 group-object DATACENTRE1_LAN
 group-object DATACENTRE2_LAN
object-group network CLIENT_VPN_ACCESSIBLE_NETWORKS
 group-object SITE_LANS

access-list CRY_RA_OUTSIDE extended permit ip any object VPN_CLIENT_LAN

access-list ACL_CLIENT_VPN_SPLIT_TUNNEL extended permit ip object-group CLIENT_VPN_ACCESSIBLE_NETWORKS object VPN_CLIENT_LAN 

ip local pool IDONTWANTTHIS_POOL 192.168.254.1-192.168.254.254 mask 255.255.255.255

nat (OUTSIDE,OUTSIDE) source dynamic VPN_CLIENT_LAN HAIRPIN_NAT_IP destination static CLIENT_VPN_ACCESSIBLE_NETWORKS CLIENT_VPN_ACCESSIBLE_NETWORKS
nat (INSIDE,INSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static VPN_CLIENT_LAN VPN_CLIENT_LAN no-proxy-arp route-lookup
nat (INSIDE,INSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static SITE_LANS SITE_LANS no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static IDONTWANTTHIS_POOL_LAN IDONTWANTTHIS_POOL_LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static VPN_CLIENT_LAN VPN_CLIENT_LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static SITE_LANS SITE_LANS no-proxy-arp route-lookup
!
nat (INSIDE,OUTSIDE) after-auto source dynamic HEADOFFICE_LAN interface destination static ANY_IPV4 ANY_IPV4

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1-TRANSPORT esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1-TRANSPORT mode transport    

crypto dynamic-map CRY_RA_OUTSIDE 10 match address CRY_RA_OUTSIDE
crypto dynamic-map CRY_RA_OUTSIDE 10 set ikev1 transform-set ESP-3DES-MD5
crypto dynamic-map CRY_RA_OUTSIDE 10 set security-association lifetime seconds 28800
crypto dynamic-map CRY_RA_OUTSIDE 10 set reverse-route
crypto dynamic-map CRY_RA_OUTSIDE 20 set ikev1 transform-set ESP-AES128-SHA1-TRANSPORT
crypto dynamic-map CRY_RA_OUTSIDE 20 set security-association lifetime seconds 3600
crypto dynamic-map CRY_RA_OUTSIDE 20 set reverse-route
crypto map CRY_L2L_OUTSIDE 65535 ipsec-isakmp dynamic CRY_RA_OUTSIDE
crypto map CRY_L2L_OUTSIDE interface OUTSIDE
crypto isakmp identity address

group-policy GPO_CISCO_CLIENT_VPN internal
group-policy GPO_CISCO_CLIENT_VPN attributes
 dns-server value 172.21.1.1 172.21.1.2
 dhcp-network-scope 172.21.255.0
 vpn-idle-timeout 1800
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_CLIENT_VPN_SPLIT_TUNNEL
 default-domain value foo.local

group-policy GPO_L2TP_CLIENT_VPN internal
group-policy GPO_L2TP_CLIENT_VPN attributes
 dhcp-network-scope 172.21.255.0
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_CLIENT_VPN_SPLIT_TUNNEL
 default-domain value foo.local
 intercept-dhcp enable
 nac-settings none

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (OUTSIDE) AAA_WORKING_RADIUS_SETUP
 default-group-policy GPO_L2TP_CLIENT_VPN
 dhcp-server 172.21.1.1
 dhcp-server 172.21.1.2    
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 120 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

tunnel-group GPO_CISCO_CLIENT_VPN type remote-access
tunnel-group GPO_CISCO_CLIENT_VPN general-attributes
 authentication-server-group (OUTSIDE) AAA_WORKING_RADIUS_SETUP
 default-group-policy GPO_CISCO_CLIENT_VPN 
 dhcp-server 172.21.1.2
 dhcp-server 172.21.1.1
tunnel-group GPO_CISCO_CLIENT_VPN ipsec-attributes
 ikev1 pre-shared-key *****

(Routes added when configured with dhcp-server, where p.e.e.r is the ASA's outside IP)

172.21.0.0     mask 255.255.0.0    gw p.e.e.r  if 172.21.255.1

(Routes added when configured with an arbitrary address-pool IDONTWANTTHIS_POOL)

172.21.0.0     mask 255.255.240.0  gw on-link  if 192.168.254.1
172.21.16.0    mask 255.255.240.0  gw on-link  if 192.168.254.1
172.27.0.0     mask 255.255.0.0    gw on-link  if 192.168.254.1
172.28.0.0     mask 255.255.0.0    gw on-link  if 192.168.254.1
192.168.254.0  mask 255.255.255.0  gw p.e.e.r  if 192.168.254.1
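The post compares two client address sources (the DHCP scope 172.21.255.0/24 and the local pool 192.168.254.0/24) against the split-tunnel ACL and the NAT rules by hand. As an added example that is not part of the original post, the following script does that comparison mechanically: it parses a small subset of ASA syntax (object/object-group network, "access-list ... extended permit ip" with object/object-group operands, and "nat (a,b) source {static|dynamic} X Y destination static Z Z"), lists the routes a client should receive under split-tunnel-policy tunnelspecified, and reports which identity (nat-exempt) and hairpin NAT rules cover a given client address. ASA_CONFIG is a trimmed copy constructed from the sanitized config above (two of the four site groups are omitted to keep it short), the sample client addresses are constructed, and the function names and the "exempt"/"hairpin" labels are the example's own, not ASA terminology.

```python
"""Added example, not from the original post. Parses a subset of Cisco ASA config
(object / object-group network, 'access-list ... extended permit ip', and
'nat (a,b) source {static|dynamic} X Y destination static Z Z') to answer two
questions the post raises: which routes the split-tunnel ACL should push to the
client, and which nat-exempt / hairpin NAT rules cover a given client address."""
import ipaddress
import re

# Constructed from the post's sanitized config (two site groups omitted for brevity).
ASA_CONFIG = """\
object network VPN_CLIENT_LAN
 subnet 172.21.255.0 255.255.255.0
object network HAIRPIN_NAT_IP
 host 172.21.0.1
object network IDONTWANTTHIS_POOL_LAN
 subnet 192.168.254.0 255.255.255.0
object-group network HEADOFFICE_LAN
 network-object 172.21.0.0 255.255.240.0
object-group network DATACENTRE1_LAN
 network-object 172.27.0.0 255.255.0.0
object-group network SITE_LANS
 group-object HEADOFFICE_LAN
 group-object DATACENTRE1_LAN
object-group network CLIENT_VPN_ACCESSIBLE_NETWORKS
 group-object SITE_LANS
access-list ACL_CLIENT_VPN_SPLIT_TUNNEL extended permit ip object-group CLIENT_VPN_ACCESSIBLE_NETWORKS object VPN_CLIENT_LAN
nat (OUTSIDE,OUTSIDE) source dynamic VPN_CLIENT_LAN HAIRPIN_NAT_IP destination static CLIENT_VPN_ACCESSIBLE_NETWORKS CLIENT_VPN_ACCESSIBLE_NETWORKS
nat (INSIDE,OUTSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static IDONTWANTTHIS_POOL_LAN IDONTWANTTHIS_POOL_LAN no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static HEADOFFICE_LAN HEADOFFICE_LAN destination static VPN_CLIENT_LAN VPN_CLIENT_LAN no-proxy-arp route-lookup
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source (static|dynamic) (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def parse_objects(config):
    """Map each object / object-group name to a list of IPv4Network, groups flattened."""
    raw, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object(?:-group)? network (\S+)", line)
        if m:
            current = m.group(1)
            raw[current] = []
        elif not line.startswith(" "):
            current = None                                     # other top-level line ends the block
        elif current is not None:
            kw, *args = line.split()
            if kw == "host":
                raw[current].append(args[0] + "/32")
            elif kw in ("subnet", "network-object"):
                raw[current].append(args[0] + "/" + args[1])   # address/netmask form
            elif kw == "group-object":
                raw[current].append("@" + args[0])             # nested group, resolved below

    def resolve(name):
        nets = []
        for tok in raw[name]:
            if tok.startswith("@"):
                nets.extend(resolve(tok[1:]))
            else:
                nets.append(ipaddress.ip_network(tok, strict=False))
        return nets

    return {name: resolve(name) for name in raw}


def split_tunnel_routes(config, acl_name):
    """Routes a client should install under 'tunnelspecified': in 'permit ip SRC DST'
    SRC is the protected network and DST the client, so one route per SRC network."""
    objects = parse_objects(config)
    routes = []
    for line in config.splitlines():
        m = re.match(r"^access-list %s extended permit ip (.+)$" % re.escape(acl_name), line)
        if m:
            tokens = m.group(1).split()                        # e.g. object-group X object Y
            # only object / object-group source operands are understood here
            src = objects[tokens[1]] if tokens[0] in ("object", "object-group") else []
            routes += [str(n) for n in src]
    return routes


def nat_rules_for_client(config, client_ip):
    """(kind, real source, real destination or mapped source) for each NAT rule touching
    client_ip: 'exempt' = identity twice-NAT with the client as destination,
    'hairpin' = dynamic source NAT/PAT with the client as source."""
    objects = parse_objects(config)
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        _, _, kind, s_real, s_map, d_real, d_map = m.groups()
        if kind == "static" and s_real == s_map and d_real == d_map \
                and any(ip in n for n in objects[d_real]):
            hits.append(("exempt", s_real, d_real))
        elif kind == "dynamic" and any(ip in n for n in objects[s_real]):
            hits.append(("hairpin", s_real, s_map))
    return hits


if __name__ == "__main__":
    print("split-tunnel routes:", split_tunnel_routes(ASA_CONFIG, "ACL_CLIENT_VPN_SPLIT_TUNNEL"))
    for client in ("172.21.255.37", "192.168.254.5"):          # constructed: DHCP-scope vs local-pool address
        print(client, nat_rules_for_client(ASA_CONFIG, client))
```

Run against the constructed config, the DHCP-scope address is matched by both the hairpin rule and an identity rule, while the local-pool address is matched only by the identity rule for IDONTWANTTHIS_POOL_LAN; that is the mismatch the post describes when switching to an arbitrary ip local pool, and the same check can be rerun after adding or changing NAT rules before touching a client.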